[ https://issues.apache.org/jira/browse/NIFI-3331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867384#comment-15867384 ]

ASF GitHub Bot commented on NIFI-3331:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1491
  
    I added some unit tests for the certificate issuance with SANs and the CSR
    generation. I also wrote some harness code which executed the CSR generation
    and visually inspected it for the presence of the SANs:
    
    ```
    hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
    🔓 8s @ 21:21:42 $ openssl req -text -noout -in csr.pem
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=testCaHostname, OU=NIFI
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:95:1f:2f:f5:0e:a8:94:27:0e:3e:da:89:eb:e6:
                        8a:7b:9d:54:43:03:eb:5b:dd:fc:3a:39:a3:8b:f5:
                        e3:1f:f7:00:32:d5:4c:f9:55:e6:4c:04:80:97:c5:
                        80:3b:92:22:a4:34:a9:3c:72:18:09:03:56:8f:18:
                        74:f9:f7:5d:0a:7f:37:32:16:6b:8a:84:f3:c8:71:
                        ce:1d:92:9f:e2:06:7d:bf:92:73:c8:11:d9:54:46:
                        e6:3a:4f:4e:6d:90:e3:f6:ee:91:11:6a:66:0c:4c:
                        1f:91:76:96:76:2e:c6:ff:35:e9:c5:1f:51:0c:cb:
                        ba:5d:39:24:b6:dd:67:75:84:35:c2:a5:5e:a0:ad:
                        53:13:ca:ba:67:8f:07:ef:e7:b0:63:65:09:48:d6:
                        c0:77:61:c2:77:8a:b8:f1:f8:2e:1f:41:db:4f:49:
                        55:ca:01:ab:4c:a7:8a:3f:2f:89:23:7c:89:01:e1:
                        56:3b:a9:3a:2b:fe:e2:66:85:2a:4e:8b:9c:5f:ac:
                        7c:45:d3:9b:92:3c:b5:5c:36:83:7c:71:5c:33:83:
                        7d:20:e4:b5:1a:62:94:93:6a:36:5c:cc:38:63:4e:
                        f6:70:58:04:04:62:bd:a5:27:a8:33:1c:c4:a6:50:
                        bd:7b:a5:de:01:6d:8e:70:1b:51:ed:b3:d2:6f:e0:
                        4f:f1
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:127.0.0.1, DNS:nifi.nifi.apache.org
        Signature Algorithm: sha256WithRSAEncryption
             2b:aa:b5:d3:a6:97:44:e2:cb:28:26:5e:6d:f6:3b:cc:66:a1:
             5b:c7:46:6d:52:30:da:99:12:a5:9e:04:d9:9c:26:17:a0:07:
             75:e6:53:80:ae:93:fc:9b:3b:f4:e9:b2:94:4e:7b:d2:89:d0:
             ab:c3:9d:03:39:c6:c9:e1:ea:0d:c6:14:72:0d:06:43:4d:64:
             a0:cb:e0:ef:58:d7:d6:69:32:7f:6b:30:1a:03:54:f6:e4:49:
             5e:29:58:d5:e3:e8:17:c2:cc:30:28:e0:4a:85:59:fe:d6:ad:
             e1:4d:62:99:52:99:49:b5:f7:54:b8:7f:eb:b6:50:c8:0d:5c:
             2f:d6:26:28:33:5c:53:b5:50:13:7f:08:5b:35:fb:ef:9a:48:
             b1:fa:fd:39:c6:9f:96:ef:99:37:bc:a8:60:13:09:1f:27:3d:
             67:41:33:dc:5d:48:b4:43:dc:69:9b:0b:93:14:6e:40:07:84:
             22:27:ee:be:6b:07:91:99:e2:20:c5:94:bd:49:d3:3b:3d:56:
             75:b8:bf:1c:bf:56:ff:42:64:04:c0:68:ed:1b:f6:fd:4f:ab:
             89:e1:4e:e0:d8:6b:f1:a2:2b:81:1a:c1:9e:41:18:b9:2c:6d:
             3f:31:c1:bc:70:2a:2a:9a:29:91:3f:d4:94:a5:65:54:2e:03:
             1d:f5:96:83
    ```
    
    All tests pass, contrib-check passes, +1 and merging. 


> TLS Toolkit - add the possibility to define a SAN in issued certificates
> ------------------------------------------------------------------------
>
>                 Key: NIFI-3331
>                 URL: https://issues.apache.org/jira/browse/NIFI-3331
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>            Reporter: Pierre Villard
>            Assignee: Pierre Villard
>              Labels: tls-toolkit
>             Fix For: 1.2.0
>
>
> To ease the deployment of a load balancer in front of NiFi, it would be nice 
> to allow users to define a SAN in certificates issued by the CA.
> To load balance the access to the UI or even with a ListenHTTP processor, 
> both will cause errors with a "Host mismatch" kind of error because of 
> different fqdn between nodes certificate and LB certificate. This is also 
> discussed here: http://stackoverflow.com/questions/40035356/nifi-load-balancer



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
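
The visual inspection described in the comment above can be scripted. This is an added example, not part of the original message or of the NiFi code base: it parses `openssl req -text -noout` output, using a constructed sample that reuses the SAN values shown above, and `lb.example.org` is a hypothetical load balancer name. It also reports IP literals carried in DNS-type entries, because RFC 5280 defines a separate iPAddress type for addresses.

```python
import ipaddress
import re

# Constructed excerpt in the layout `openssl req -text -noout` prints,
# reusing the SAN values from the output quoted above.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=testCaHostname, OU=NIFI
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:127.0.0.1, DNS:nifi.nifi.apache.org
    Signature Algorithm: sha256WithRSAEncryption
"""

SAN_HEADER = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*(critical)?\s*$")


def parse_sans(openssl_text):
    """Return [(type, value), ...] from the line that follows the SAN header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if SAN_HEADER.match(line) and i + 1 < len(lines):
            # Entries are comma-separated "TYPE:value" pairs (DNS, IP Address, ...).
            entries = [e.strip() for e in lines[i + 1].split(",") if e.strip()]
            return [tuple(e.split(":", 1)) for e in entries if ":" in e]
    return []


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_sans(openssl_text, expected_names):
    """Report expected names that are missing and IP literals typed as DNS."""
    sans = parse_sans(openssl_text)
    present = {value.lower() for _, value in sans}
    missing = sorted(n for n in expected_names if n.lower() not in present)
    ip_as_dns = sorted(v for t, v in sans if t == "DNS" and is_ip(v))
    return {"sans": sans, "missing": missing, "ip_as_dns": ip_as_dns}


if __name__ == "__main__":
    print(check_sans(SAMPLE_CSR_TEXT, ["nifi.nifi.apache.org", "lb.example.org"]))
```
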
